diff --git a/openssl-1.0.1d-s3-packet.patch b/openssl-1.0.1d-s3-packet.patch
deleted file mode 100644
index 583cb56..0000000
--- a/openssl-1.0.1d-s3-packet.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-https://bugs.gentoo.org/456108
-
-taken from upstream
-
-From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson"
-Date: Thu, 7 Feb 2013 21:06:37 +0000
-Subject: [PATCH] Fix IV check and padding removal.
-
-Fix the calculation that checks there is enough room in a record
-after removing padding and optional explicit IV. (by Steve)
-
-For AEAD remove the correct number of padding bytes (by Andy)
----
- ssl/s3_cbc.c | 33 ++++++++++++---------------------
- 1 file changed, 12 insertions(+), 21 deletions(-)
-
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-index ce77acd..0f60507 100644
---- a/ssl/s3_cbc.c
-+++ b/ssl/s3_cbc.c
-@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s,
- unsigned mac_size)
- {
- unsigned padding_length, good, to_check, i;
-- const char has_explicit_iv =
-- s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
-- const unsigned overhead = 1 /* padding length byte */ +
-- mac_size +
-- (has_explicit_iv ? block_size : 0);
--
-- /* These lengths are all public so we can test them in non-constant
-- * time. */
-- if (overhead > rec->length)
-- return 0;
--
-- /* We can always safely skip the explicit IV. We check at the beginning
-- * of this function that the record has at least enough space for the
-- * IV, MAC and padding length byte. (These can be checked in
-- * non-constant time because it's all public information.) So, if the
-- * padding was invalid, then we didn't change |rec->length| and this is
-- * safe. If the padding was valid then we know that we have at least
-- * overhead+padding_length bytes of space and so this is still safe
-- * because overhead accounts for the explicit IV. */
-- if (has_explicit_iv)
-+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
-+ /* Check if version requires explicit IV */
-+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
- {
-+ /* These lengths are all public so we can test them in
-+ * non-constant time.
-+ */
-+ if (overhead + block_size > rec->length)
-+ return 0;
-+ /* We can now safely skip explicit IV */
- rec->data += block_size;
- rec->input += block_size;
- rec->length -= block_size;
- }
-+ else if (overhead > rec->length)
-+ return 0;
-
- padding_length = rec->data[rec->length-1];
-
-@@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s,
- if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
- {
- /* padding is already verified */
-- rec->length -= padding_length;
-+ rec->length -= padding_length + 1;
- return 1;
- }
-
---
-1.8.0.2
-
diff --git a/openssl-1.0.1d.tar.gz b/openssl-1.0.1d.tar.gz
deleted file mode 100644
index a34e74f..0000000
--- a/openssl-1.0.1d.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:88a423f9b08a994054583691b968815875580e12df754e881d7cfe9f1bd1f49d
-size 4459791
diff --git a/openssl-1.0.1d.tar.gz.asc b/openssl-1.0.1d.tar.gz.asc
deleted file mode 100644
index 3ef920f..0000000
--- a/openssl-1.0.1d.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQEVAwUAURDz9qLSm3vylcdZAQKqkggAv4350IUv8kUR0EFl1RMZdal5aie5vFCB
-qBDdF8CAWRPoZy1QN+yLtTzobthGaLFbbibILo2dAwUm2VFpt0GbOe3NkX8EUpZj
-neTT9fSMm0uVCt0qwoap+GtvVypmuRR3fR8TMW2injL/M8nkZDNkuJeVvpOXdSZZ
-h/hyZCzDy/QC1yZDR6xczGkVdszTEo7C5k34RvKZOuN5u2Bs290HGEqPNo7UsgCq
-MiJBHKMmWB48CefctVhySYhr8ftANctZW6dDGOsj/0Jc4s5IptNFM0LwjJLh4671
-IqtAKCSk0ShH/ehnpbpmndrSfhLJwNnBA/a4FWyEdZ1AzkXKZsed9g==
-=AVm4
------END PGP SIGNATURE-----
diff --git a/openssl-1.0.1e.tar.gz b/openssl-1.0.1e.tar.gz
new file mode 100644
index 0000000..b372136
--- /dev/null
+++ b/openssl-1.0.1e.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+size 4459777
diff --git a/openssl-1.0.1e.tar.gz.asc b/openssl-1.0.1e.tar.gz.asc
new file mode 100644
index 0000000..80d404f
--- /dev/null
+++ b/openssl-1.0.1e.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQEVAwUAURkNmqLSm3vylcdZAQIW+QgAvzzm4hlt+QUHVLkMW0eiiJeTk+ZNqAAe
+ver8u+JwEGUiNA2Tq0/9n+/vmLlAC48lRiZpviVAq3olbmmEWi4FrsToEoNOp9Ho
+tr++fq4kGcLSnqRu6gy4unJZVy9U1RZRGCxESTI5nvsneLQGs34lpBxRpQ/Q0Iqg
+h3NZJkdbX5oL+pKgEtQV25HFoKnEWe1mqVkTZPaTE4mfSr3Uc0+NjOkKaxm5ud+9
+CZBSqesMPohUWo8Fm9BxkCZuZ6SwTUWHUzZvODANp8VyjderZdWhVlGc6E0zV6SU
+TlmjCpOblE7CP26QC+SttDRx8nM+Qd5HTLq10ciX1UX1YD8n4XtRFg==
+=IVUi
+-----END PGP SIGNATURE-----
diff --git a/openssl.changes b/openssl.changes
index c971b9b..c6876c0 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb 12 00:08:06 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Update to 1.0.1e
+ o Bugfix release (bnc#803004)
+- Drop openssl-1.0.1d-s3-packet.patch, included upstream
+
 -------------------------------------------------------------------
 Sun Feb 10 20:33:51 UTC 2013 - hrvoje.senjan@gmail.com

diff --git a/openssl.spec b/openssl.spec
index 7eab170..f4a04df 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ Provides: ssl
 %ifarch ppc64
 Obsoletes: openssl-64bit
 %endif
-Version: 1.0.1d
+Version: 1.0.1e
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
 License: OpenSSL
@@ -46,8 +46,6 @@ Patch1: openssl-1.0.0-c_rehash-compat.diff
 Patch2: bug610223.patch
 Patch3: openssl-ocloexec.patch
 Patch4: VIA_padlock_support_on_64systems.patch
-# PATCH-FIX-UPSTREAM openssl-1.0.1d-s3-packet.patch Fix the calculation that checks there is enough room in a record after removing padding and optional explicit IV bnc#803004, openssl ticket#2975
-Patch5: openssl-1.0.1d-s3-packet.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build

 %description
@@ -178,7 +176,6 @@ Authors:
 %patch2 -p1
 %patch3
 %patch4 -p1
-%patch5 -p1
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags